Chapter 8 desktop and server os vulnerabilities
1 / 63

Hands-On Ethical Hacking and Network Defense Second Edition - PowerPoint PPT Presentation

  • Uploaded on

Chapter 8 Desktop and Server OS Vulnerabilities. Hands-On Ethical Hacking and Network Defense Second Edition. Objectives. After reading this chapter and completing the exercises, you will be able to: Describe vulnerabilities of Windows and Linux operating systems

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Hands-On Ethical Hacking and Network Defense Second Edition ' - kevina

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Chapter 8 desktop and server os vulnerabilities

Chapter 8

Desktop and Server OS Vulnerabilities

Hands-On Ethical Hacking and Network DefenseSecond Edition


  • After reading this chapter and completing the exercises, you will be able to:

    • Describe vulnerabilities of Windows and Linux operating systems

    • Identify specific vulnerabilities and explain ways to fix them

    • Explain techniques to harden systems against Windows and Linux vulnerabilities

Windows os vulnerabilities1
Windows OS Vulnerabilities

  • Many Windows OSs have serious vulnerabilities

    • Windows 2000 and earlier

      • Administrators must disable, reconfigure, or uninstall services and features

    • Windows XP, Vista, Server 2003, Server 2008, and Windows 7

      • Most services and features are disabled by default

  • Good information source:

    • CVE Web site

      • Link Ch 8c, click on "CVE Search on NVD"

Windows file systems
Windows File Systems

  • File system

    • Stores and manages information

      • User created

      • OS files needed to boot

    • Most vital part of any OS

      • Can be a vulnerability

File allocation table
File Allocation Table

  • Original Microsoft file system

    • Supported by nearly all desktop and server Oss

    • Standard file system for most removable media

      • Other than CDs and DVDs

    • Later versions provide for larger file and disk sizes

  • Most serious shortcoming

    • Doesn’t support file-level access control lists (ACLs)

      • Necessary for setting permissions on files

      • Multiuser environment use results in vulnerability


  • New Technology File System (NTFS)

    • First released as high-end file system

      • Added support for larger files, disk volumes, and ACL file security

  • Subsequent Windows versions

    • Included upgrades for compression, journaling, file-level encryption, and self-healing

  • Alternate data streams (ADSs)

    • Can “stream” (hide) information behind existing files

      • Without affecting function, size, or other information

    • Several detection methods

Remote procedure call
Remote Procedure Call

  • Interprocess communication mechanism

    • Allows a program running on one host to run code on a remote host

  • Worm that exploited RPC

    • Conficker worm

  • Microsoft Baseline Security Analyzer

    • Determines if system is vulnerable due to an RPC-related issue


  • Software loaded into memory

    • Enables computer program to interact with network resource or device

  • NetBIOS isn’t a protocol

    • Interface to a network protocol

  • NetBios Extended User Interface (NetBEUI)

    • Fast, efficient network protocol

    • Allows NetBIOS packets to be transmitted over TCP/IP

    • NBT is NetBIOS over TCP

Netbios cont d
NetBIOS (cont’d.)

  • Systems running newer Windows OSs

    • Vista, Server 2008, Windows 7, and later versions

    • Share files and resources without using NetBIOS

  • NetBIOS is still used for backward compatibility

    • Companies use old machines

Server message block
Server Message Block

  • Used to share files

    • Usually runs on top of:

      • NetBIOS

      • NetBEUI, or

      • TCP/IP

  • Several hacking tools target SMB

    • L0phtcrack’s SMB Packet Capture utility and SMBRelay

      • It took Microsoft seven years to patch these

Server message block cont d
Server Message Block (cont’d.)

  • SMB2

    • Introduced in Windows Vista

    • Several new features

    • Faster and more efficient

  • Windows 7

    • Microsoft avoided reusing code

    • Still allowed backward capability

      • Windows XP Mode

    • Spectacular DoS vulnerabilities

      • Links Ch 8za-8zc

Laurent gaffi s fuzzer
Laurent Gaffié's Fuzzer

  • Look how easy it is!

  • From Link Ch 8zb

Common internet file system
Common Internet File System

  • Standard protocol

    • Replaced SMB for Windows 2000 Server and later

    • SMB is still used for backward compatibility

  • Remote file system protocol

    • Enables sharing of network resources over the Internet

  • Relies on other protocols to handle service announcements

    • Notifies users of available resources

Common internet file system cont d
Common Internet File System (cont’d.)

  • Enhancements

    • Locking features

    • Caching and read-ahead/write-behind

    • Support for fault tolerance

    • Capability to run more efficiently over dial-up

    • Support for anonymous and authenticated access

  • Server security methods

    • Share-level security (folder password)

    • User-level security (username and password)

Common internet file system cont d1
Common Internet File System (cont’d.)

  • Attackers look for servers designated as domain controllers

    • Severs handle authentication

  • Windows Server 2003 and 2008

    • Domain controller uses a global catalog (GC) server

      • Locates resources among many objects

Domain controller ports
Domain Controller Ports

  • By default, Windows Server 2003 and 2008 domain controllers using CIFS listen on the following ports

    • DNS (port 53)

    • HTTP (port 80)

    • Kerberos (port 88)

    • RPC (port 135)

    • NetBIOS Name Service (port 137)

    • NetBIOS Datagram Service (port 139)

    • LDAP (port 389)

    • HTTPS (port 443)

    • SMB/ CIFS (port 445)

    • LDAP over SSL (port 636)

    • Active Directory global catalog (port 3268)

Null sessions
Null Sessions

  • Anonymous connection established without credentials

    • Used to display information about users, groups, shares, and password policies

    • Necessary only if networks need to support older Windows versions

  • To enumerate NetBIOS vulnerabilities use:

    • Nbtstat, Net view, Netstat, Ping, Pathping, and Telnet commands

Web services
Web Services

  • IIS installs with critical security vulnerabilities

    • IIS Lockdown Wizard

      • Locks down IIS versions 4.0 and 5.0

  • IIS 6.0 and later versions

    • Installs with a “secure by default” mode

    • Previous versions left crucial security holes

  • Keeping a system patched is important

  • Configure only needed services

Sql server
SQL Server

  • Many potential vulnerabilities

    • Null System Administrator (SA) password

      • SA access through SA account

      • SA with blank password by default on versions prior to SQL Server 2005

    • Gives attackers administrative access

      • Database and database server

Buffer overflows
Buffer Overflows

  • Data is written to a buffer and corrupts data in memory next to allocated buffer

    • Normally, occurs when copying strings of characters from one buffer to another

  • Functions don’t verify text fits

    • Attackers run shell code

  • C and C++

    • Lack built-in protection against overwriting data in memory

Passwords and authentication
Passwords and Authentication

  • Weakest security link in any network

    • Authorized users

      • Most difficult to secure

      • Relies on people

    • Companies should take steps to address it

Passwords and authentication cont d
Passwords and Authentication (cont’d.)

  • Comprehensive password policy is critical

    • Should include:

      • Change passwords regularly

      • Require at least six characters

      • Require complex passwords

      • Passwords can’t be common words, dictionary words, slang, jargon, or dialect

      • Passwords must not be identified with a user

      • Never write it down or store it online or in a file

      • Do not reveal it to anyone

      • Use caution when logging on and limit reuse

Passwords and authentication cont d1
Passwords and Authentication (cont’d.)

  • Configure domain controllers

    • Enforce password age, length, and complexity

  • Password policy aspects that can be enforced:

    • Account lockout threshold

      • Set number of failed attempts before account is disabled temporarily

    • Account lockout duration

      • Set period of time account is locked out after failed logon attempts

  • Disable LM Hashes

Tools for identifying vulnerabilities in windows1
Tools for Identifying Vulnerabilities in Windows

  • Many tools are available

    • Using more than one is advisable

  • Using several tools

    • Helps pinpoint problems more accurately

Built in windows tools
Built-in Windows Tools

  • Microsoft Baseline Security Analyzer (MBSA)

    • Capable of checking for:

      • Patches

      • Security updates

      • Configuration errors

      • Blank or weak passwords

Using mbsa
Using MBSA (cont’d.)

  • System must meet minimum requirements

    • Before installing

  • After installing, MBSA can:

    • Scan itself

    • Scan other computers remotely

    • Be scanned remotely

Best practices for hardening windows systems1
Best Practices for Hardening Windows Systems (cont’d.)

  • Penetration tester

    • Finds and reports vulnerabilities

  • Security tester

    • Finds vulnerabilities

    • Gives recommendations for correcting them

Patching systems
Patching Systems (cont’d.)

  • Best way to keep systems secure

    • Keep up to date

      • Attackers take advantage of known vulnerabilities

  • Options for small networks

    • Accessing Windows Update manually

    • Configure Automatic Updates

  • Options for large networks

    • Systems Management Server (SMS)

    • Windows Software Update Service (WSUS)

  • Third-party patch management solutions

Antivirus solutions
Antivirus Solutions (cont’d.)

  • Antivirus solution is essential

    • Small networks

      • Desktop antivirus tool with automatic updates

    • Large networks

      • Require corporate-level solution

  • Antivirus tools

    • Almost useless if not updated regularly

Enable logging and review logs regularly
Enable Logging and Review Logs Regularly (cont’d.)

  • Important step for monitoring critical areas

    • Performance

    • Traffic patterns

    • Possible security breaches

  • Can have negative impact on performance

  • Review regularly

    • Signs of intrusion or problems

      • Use log-monitoring tool

Disable unused services and filtering ports
Disable Unused Services and Filtering Ports (cont’d.)

  • Disable unneeded services

  • Delete unnecessary applications or scripts

    • Unused applications are invitations for attacks

  • Reducing the attack surface

    • Open only what needs to be open, and close everything else

  • Filter out unnecessary ports

    • Make sure perimeter routers filter out ports 137 to 139 and 445

Other security best practices
Other Security Best Practices (cont’d.)

  • Other practices include:

    • Delete unused scripts and sample applications

    • Delete default hidden shares

    • Use different naming scheme and passwords for public interfaces

    • Be careful of default permissions

    • Use appropriate packet-filtering techniques

    • Use available tools to assess system security

    • Disable Guest account

Other security best practices cont d
Other Security Best Practices (cont’d.) (cont’d.)

  • Other practices include (cont’d.):

    • Rename (or disable) default Administrator account

    • Make sure there are no accounts with blank passwords

    • Use Windows group policies

    • Develop a comprehensive security awareness program

    • Keep up with emerging threats

The new challenge not in textbook

The New Challenge (cont’d.)(not in textbook)

The new challenge not in textbook1
The New Challenge (not in textbook) (cont’d.)

  • Patching not only the OS, but the applications too!

  • Following figures from Microsoft Security Intelligence Report Volume 8

    • Link Ch 8zd

Linux os vulnerabilities1
Linux OS Vulnerabilities (cont’d.)

  • Linux can be made more secure

    • Awareness of vulnerabilities

    • Keep current on new releases and fixes

  • Many versions are available

    • Differences ranging from slight to major

  • It’s important to understand basics

    • Run control and service configuration

    • Directory structure and file system

    • Basic shell commands and scripting

    • Package management

Samba (cont’d.)

  • Open-source implementation of CIFS

    • Created in 1992

  • Allows sharing resources over a network

    • Security professionals should have basic knowledge of SMB and Samba

      • Many companies have a mixed environment of Windows and *nix systems

  • Used to “trick” Windows services into believing *nix resources are Windows resources

Tools for identifying linux vulnerabilities
Tools for Identifying Linux Vulnerabilities (cont’d.)

  • CVE Web site

    • Source for discovering possible attacker avenues

Table 8-4 Linux vulnerabilities found at CVE

Tools for identifying linux vulnerabilities cont d
Tools for Identifying Linux Vulnerabilities (cont’d.) (cont’d.)

  • OpenVAS can enumerate multiple OSs

    • Security tester using enumeration tools can:

      • Identify a computer on the network by using port scanning and zone transfers

      • Identify the OS by conducting port scanning

      • Identify via enumeration any logon accounts

      • Learn names of shared folders by using enumeration

      • Identify services running

Checking for trojan programs
Checking for Trojan Programs a DHCP client vulnerability

  • Most Trojan programs perform one or more of the following:

    • Allow remote administration of attacked system

    • Create a file server on attacked computer

      • Files can be loaded and downloaded

    • Steal passwords from attacked system

      • E-mail them to attacker

    • Log keystrokes

      • E-mail results or store them in a hidden file the attacker can access remotely

Checking for trojan programs cont d
Checking for Trojan Programs (cont’d.) a DHCP client vulnerability

  • Linux Trojan programs

    • Sometimes disguised as legitimate programs

    • Contain program code that can wipe out file systems

    • More difficult to detect today

      • Protecting against identified Trojan programs is easier

  • Rootkits containing Trojan binary programs

    • More dangerous

    • Attackers hide tools

      • Perform further attacks

      • Have access to backdoor programs

More countermeasures against linux attacks
More Countermeasures Against Linux Attacks a DHCP client vulnerability

  • Most critical tasks:

    • User awareness training

    • Keeping current

    • Configuring systems to improve security

User awareness training
User Awareness Training a DHCP client vulnerability

  • Inform users

    • No information should be given to outsiders

      • Knowing OS makes attacks easier

    • Be suspicious of people asking questions

      • Verify who they are talking to

      • Call them back

Keeping current
Keeping Current a DHCP client vulnerability

  • As soon as a vulnerability is discovered and posted

    • OS vendors notify customers

      • Upgrades

      • Patches

    • Installing fixes promptly is essential

  • Linux distributions

    • Most have warning methods

Secure configuration
Secure Configuration a DHCP client vulnerability

  • Many methods to help prevent intrusion

    • Vulnerability scanners

    • Built-in Linux tools

    • Free benchmark tools

      • Center for Internet Security

    • Security Blanket

      • Trusted Computer Solutions